Bugtraq mailing list archives
[Hackerslab bug_paper] Solaris chkperm buffer overflow
From: s96192 () CE HANNAM AC KR (김용준 KimYongJun (99 graduate))
Date: Thu, 6 Jan 2000 04:36:18 +0900
[Hackerslab bug_paper] Solaris chkperm buffer overflow

File: /usr/vmsys/bin/chkperm
SYSTEM: Solaris 2.x

INFO:
We all know that /usr/vmsys/bin/chkperm contains a mountain of known bugs. Here's one more that I found: the "Buffer Overflow" vulnerability.

The problem occurs when it gets the argument. It accepts the argument without checking its length, and this causes the problem. It seems that this vulnerability also applies to Solaris 7, the latest version.

[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
Segmentation fault (core dumped)
[hackerslab:/users/loveyou/buf]$ gdb chkperm core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (sparc-sun-solaris2.5.1), Copyright 1996 Free Software Foundation, Inc...
(no debugging symbols found)...
Core was generated by `./chkperm -n xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xef73ea68 in nvmatch ()

How to fix - Quick Reference
--------------------------
It is recommended that the suid bit is removed from chkperm using the command:

chmod 400 /usr/vmsys/bin/chkperm

- Yong jun Kim -
e-mail: loveyou () securesoft co kr, loveyou () hackerslab org
homepage: http://www.securesoft.co.kr, http://www.hackerslab.org

bye~:)
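The bug class the post describes, as an added illustration that is not chkperm's code (the real source is not on the page): a constructed handler for a "-n <name>" style argument in the unchecked form beside a length-checked form. The buffer size (64 bytes) and all function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory; NOT the real
 * chkperm source (not on the page). Buffer size and names are assumed. */
#define NAME_BUF 64

/* Unsafe pattern: no length check before the copy, so an argument of 64+
 * bytes runs past the stack buffer (the advisory's 200-byte argument gave
 * the SIGSEGV shown in gdb). Kept only for comparison with the safe form. */
int unsafe_take_name(const char *arg)
{
    char name[NAME_BUF];
    strcpy(name, arg);                  /* unbounded copy */
    return (int)strlen(name);
}

/* Hardened form: refuse an argument that does not fit instead of silently
 * truncating it. Returns 0 on success, -1 on NULL or oversized input. */
int safe_take_name(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || outlen == 0) return -1;
    size_t n = strlen(arg);
    if (n >= outlen) return -1;         /* room for the terminating NUL */
    memcpy(out, arg, n + 1);
    return 0;
}

/* Mirrors the "-n <name>" option with the check in place. */
int check_name_arg(const char *arg)
{
    char name[NAME_BUF];
    return safe_take_name(arg, name, sizeof name);
}

/* Runs a constructed argument of n 'x' bytes (like the advisory's perl
 * one-liner) through the checked path; returns check_name_arg's result. */
int check_xs(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;
    memset(buf, 'x', n);
    buf[n] = '\0';
    int rc = check_name_arg(buf);
    free(buf);
    return rc;
}
```

The checked path rejects the 200-byte argument from the advisory outright, while the unchecked copy only behaves correctly for inputs shorter than the buffer.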
Current thread:
- [Hackerslab bug_paper] Solaris chkperm buffer overflow 김용준 KimYongJun (99 graduate) (Jan 05)
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Darren Reed (Jan 06)
- <Possible follow-ups>
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Brock Tellier (Jan 06)
- Re: [Hackerslab bug_paper] Solaris chkperm buffer overflow Theodor Ragnar Gislason (Jan 07)
- Altavista followup rudi carell (Jan 09)